OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

EPA Could Improve Controls Over Mainframe System Software

Report No. 2007-P-00008

January 29, 2007

Abbreviations

EPA     U.S. Environmental Protection Agency
NCC     National Computer Center
NIST    National Institute of Standards and Technology
OEI     Office of Environmental Information
OIG     Office of Inspector General
OTOP    Office of Technology Operations and Planning
RTP     Research Triangle Park

At a Glance

Why We Did This Review

We sought to determine if access to and modification of mainframe system software at the U.S. Environmental Protection Agency (EPA) National Computer Center in Research Triangle Park in Raleigh, North Carolina, is controlled in accordance with Agency and Federal guidance, as well as best practices.

What KPMG Found

KPMG identified several weaknesses in EPA’s internal controls over its mainframe system software, including:

- Roles and responsibilities were not clearly assigned.
- Change controls were not performed in accordance with Agency policies.
- Policies, procedures, and guides could be strengthened.
- Security settings for sensitive datasets and programs were not effectively configured or implemented.

As a result of these weaknesses, EPA is exposed to greater risk since its mainframe system software could potentially be compromised.

Background

The EPA’s Office of Inspector General contracted KPMG, LLP (KPMG) to conduct an audit of mainframe system software. Controls over system software access and modifications are designed to (1) limit and/or monitor access to system software resources to protect against unauthorized modification, loss, and disclosure; (2) reduce the risk of the introduction of unauthorized changes; and (3) limit and monitor access to powerful system software programs.

What KPMG Recommends

KPMG recommends that the Office of Environmental Information:

- Improve management oversight and review of primary support contractor activity, and clearly assign roles and responsibilities to ensure personnel are held accountable.
- Ensure change control procedures are performed in accordance with existing Agency and Federal guidance.
- Strengthen existing policies, procedures, and guides to establish standards for implementing key security controls for mainframe system software.
- Appropriately configure and implement security settings for sensitive datasets and programs.

This report contains material that is confidential business information, proprietary information, or source selection information.
Unauthorized disclosure of this Appendix or any of its content may violate the provisions of the Trade Secrets Act, 18 U.S.C. 1905; the Procurement Integrity Act, 41 U.S.C. 423; the Freedom of Information Act, 5 U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the Federal Acquisition Regulation, Section 3.104 (48 CFR 3.104). Due to the sensitive nature of the report’s technical findings, the Office of Inspector General removed Appendices A and B from the public version of the report.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2007/20070129-2007-P-00008.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

January 29, 2007

MEMORANDUM

SUBJECT:  EPA Could Improve Controls Over Mainframe System Software
          Report No. 2007-P-00008

TO:       Molly A. O’Neill
          Assistant Administrator for Environmental Information and
          Chief Information Officer

This is the final report on the subject audit conducted by KPMG, LLP, on behalf of the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems KPMG auditors have identified and corrective actions KPMG recommends. This audit report represents the opinion of KPMG and does not necessarily represent the final EPA position.
Final determination on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The estimated cost of this report – calculated by adding the contract costs and multiplying the project’s staff days by the applicable daily full cost billing rates in effect at the time – is $554,029.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective action plan for agreed upon actions, including milestone dates. Due to the sensitive nature of the technical findings, we have removed Appendices A and B from the report version made available to the public. The public copy of this report will be available at http://www.epa.gov/oig. Additional copies of the full report can be obtained by contacting our Office of Congressional and Public Liaison at (202) 566-2391.

If you or your staff have any questions, please contact Rudolph M. Brevard, Director, Information Resources Management Assessments at (202) 566-0893 or brevard.rudy@epa.gov.

Sincerely,

Bill A. Roderick
Acting Inspector General

Table of Contents

Chapters

1  Overview
     Background
     Objectives and Scope
     Methodology
2  Results in Brief
3  Improvements Needed in the Assignment of Roles and Responsibilities
     Recommendations
     Agency’s Response and KPMG’s Evaluation
4  Change Controls Need Improvements
     Recommendations
     Agency’s Response and KPMG’s Evaluation
5  Policies, Procedures, and Manuals Can Be Improved
     Recommendations
     Agency’s Response and KPMG’s Evaluation
Status of Recommendations and Potential Monetary Benefits

Appendices

A  Detailed Findings Related to Technical Controls Over Sensitive Datasets and Programs
B  Agency Response to Technical Control Findings Disclosed in Appendix A
C  Agency Response to Draft Audit Report (Chapters 3 – 5)
D  Audit Criteria
E  Distribution

Chapter 1
Overview

Background

The U.S. Environmental Protection Agency’s (EPA’s) Office of Inspector General (OIG) engaged KPMG, LLP to conduct an audit of access to and modification of the EPA’s mainframe system software housed at the Agency’s National Computer Center (NCC). The NCC is located at the Research Triangle Park (RTP) campus in Raleigh, North Carolina.

The EPA’s mainframe is a general support system that supports large-scale data processing and provides a national data repository for the Agency’s environmental, administrative, financial, and scientific systems. Users of the mainframe include the Agency’s program and regional offices, laboratories, and external business partners (e.g., states, universities, and others, such as qualified agencies and contractors, with public access requirements).

The NCC has organizational responsibility for the mainframe.
The NCC is part of the EPA’s Office of Environmental Information’s (OEI) Office of Technology Operations and Planning (OTOP). Maintenance and security administration of the mainframe is performed by a primary support contractor.

Objectives and Scope

Controls over access to and modifications of system software are designed to (1) limit and/or monitor access to system software resources to protect against unauthorized modification, loss, and disclosure; (2) reduce the risk of the introduction of unauthorized changes; and (3) limit and monitor access to powerful system software programs.

KPMG was engaged to audit only the system software controls associated with the mainframe system. The audit was conducted to assess whether EPA implemented adequate controls over access to and modification of the mainframe system software. The scope of our audit included an evaluation of system software and logical access controls as defined by the Government Accountability Office’s (GAO’s) Federal Information System Control Audit Manual (FISCAM):

- System Software Controls.
  System software is a set of programs designed to operate and control the processing activities of computer equipment. Examples of system software include operating system software, system utilities, program library systems, file maintenance software, security software, data communication systems, and database management systems. System software helps control and coordinate the input, processing, output, and data storage associated with all of the applications that run on a system. Some system software can change data and program code on files without leaving an audit trail. Controls over access to and modification of system software are essential in providing reasonable assurance that operating system-based security controls are not compromised and that the system will not be impaired.

- Access Controls. Access controls should provide reasonable assurance that computer resources (data files, application programs, and computer-related facilities and equipment) are protected against unauthorized modification, disclosure, loss, or impairment. Such controls include logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files.
  The objectives of limiting access are to ensure that:

    • users have only the access needed to perform their duties;
    • access to very sensitive resources, such as security software programs, is limited to very few individuals; and
    • employees are restricted from performing incompatible functions or functions beyond their responsibility.

Methodology

Our audit methodology was primarily derived from Section 3.4 of GAO’s FISCAM. The FISCAM provides guidance that describes the computer-related controls that auditors should consider when assessing the integrity, confidentiality, and availability of computerized data. We supplemented our FISCAM-based audit procedures with additional auditor-designed steps to ensure that the audit was appropriately tailored to EPA’s mainframe environment. Controls were tested for compliance with National Institute of Standards and Technology (NIST) 800-series guidance, EPA-specific policies and procedures, and other Federal guidance and industry best practices.
For specific criteria, refer to Appendix B.

We conducted the audit in accordance with Generally Accepted Government Auditing Standards (GAGAS) issued by the Comptroller General of the United States.

We conducted audit steps to determine if:

- access authorizations over mainframe system software are approved, limited to access necessary to perform assigned functions, and periodically reviewed;
- system software changes are authorized, tested, and approved prior to implementation;
- installation of system software is documented and reviewed;
- policies and procedures have been implemented to define appropriate authorized use of and to monitor use of system utilities; and
- inappropriate or unusual activity is investigated and appropriate actions taken.

Audit fieldwork consisted of inspecting documentation, interviewing NCC federal and primary support contractor personnel, and conducting tests. Examples of tests we performed included assessing (1) security configurations and settings, (2) programmer access and privileges to system software and sensitive programs, and (3) recent software changes against Agency guidelines and best practices. Fieldwork was performed at the NCC from March 2006 through June 2006.

At the start of audit fieldwork, KPMG obtained documentation for review and conducted an initial site visit to the NCC to gain an understanding of how EPA manages configuration, access to, and modifications of mainframe system software. During the initial visit, the audit team also validated the mainframe environment, which had been documented in a survey completed by EPA management prior to the start of the audit.
Over the course of the audit, additional site visits were conducted to interview NCC and primary support contractor personnel and to conduct audit testing.

Chapter 2
Results in Brief

We positively noted EPA management’s and the primary support contractor’s dedication and proactive approach to ensuring and improving the security of the mainframe system software and protecting the Agency’s information assets. While our audit did not uncover any breaches in mainframe system software security, we noted that controls over access to and modification of mainframe system software can be improved. These weaknesses are discussed in the following chapters:

- Improvements Needed in the Assignment of Roles and Responsibilities (Chapter 3)
- Change Controls Need Improvements (Chapter 4)
- Policies, Procedures, and Guides Can Be Improved (Chapter 5)

In general, we recommend that EPA management:

- Improve management oversight and review of primary support contractor activities and clearly assign roles and responsibilities to ensure personnel are held accountable.
- Ensure change control procedures are performed in accordance with existing Federal and Agency guidance.
- Strengthen existing policies, procedures, guides, and supporting processes to establish standards for implementing key security controls for mainframe system software.
- Appropriately configure and implement security settings for sensitive datasets and programs.

Each of the weaknesses included in this report was initially discussed with EPA management during audit fieldwork as a potential observation to validate the factual accuracy of our results. Chapters 3 through 5 of this report provide a summary discussion of each audit finding.
Due to the sensitive nature of the findings related to the mainframe technical controls, we summarized the results in Appendix A and provided the details to EPA personnel. Appendix A will be removed from the final report released to the public.

Chapter 3
Improvements Needed in the Assignment of Roles and Responsibilities

EPA does not have effective oversight processes in place to help ensure that technical controls over sensitive datasets and programs are appropriately implemented. The OEI Information Security Manual requires Information Managers to receive written requests before creating system accounts or granting users privileges to use a system. The manual also requires Information Managers to conduct monthly reviews of system logs, support requests, and previous review findings. The Enterprise Server (Mainframe) Security Plan also states that monitoring of system and user activity for security violations is to be performed daily and in real time. However, we found that NCC personnel did not follow established policy. In addition, we requested but were unable to obtain evidence that NCC personnel performed periodic reviews and revalidation of the mainframe access. Further, NCC personnel had not activated system logging to create the necessary audit trails to verify system changes and users’ activity.

These weaknesses exist because EPA had not assigned the roles and responsibilities for monitoring and reviewing mainframe system software security. EPA had not clearly defined the duties for monitoring and reviewing mainframe system software security. Nor had the NCC assigned the duties to specific groups, personnel, or contractors to ensure accountability.
We also found that NCC personnel or primary support contractors, who are responsible for monitoring and reviewing mainframe system software, do not have clearly defined job descriptions.

As a result, EPA management does not have sufficient oversight processes in place to assure the operating environment of the mainframe. In addition, management does not have processes to determine whether controls are in place and working as intended. As noted in Appendix A, we found instances where current security configurations and settings could be exploited through backdoors to the system. Given the lack of adequate management authorization and review of programmers’ access/privileges and system programmers’ activities, the risk of exploitation of these weaknesses is increased.

Furthermore, without logging of system changes and access, management does not have a record to confirm that approved system activity and settings are appropriate. As such, programmers could make unauthorized changes to sensitive datasets and libraries, and management would not have a method to detect the activity. We discuss the specific mainframe technical weaknesses in Appendix A.

Following issuance of the draft audit report, EPA management took steps toward implementing corrective action to address these weaknesses. EPA updated the Enterprise Server Standards and Procedures document to require the monitoring of sensitive programs and utilities. EPA also updated the Enterprise Server Standards and Procedures document to require reviews of the system activity during weekly status meetings.
EPA management also revised the Enterprise Server (Mainframe) Security Plan to include a process for documenting and reviewing/revalidating management approvals of system software access.

Additionally, in response to the draft audit report, EPA management provided us with examples of minutes from the weekly status meetings with the primary support contractor. EPA management felt the meeting minutes documented management’s review and approval of the primary contractor activity. We noted that the meeting minutes did not sufficiently document evidence of management discussions or reviews of the primary support contractor’s implementation of system software configurations, security settings, and access controls in adherence with EPA guidelines.

Management also provided us with a position description for an EPA management official with mainframe security responsibility. Our review noted that the position description defined major duties such as developing application programs and performing risk and security assessments.
However, the position description did not document responsibility for monitoring and routinely reviewing mainframe system software to help ensure that the primary support contractor appropriately implements controls.

Recommendations

We recommend that the Director for the Office of Technology Operations and Planning (OTOP):

1. Enforce implementation of updated policies and procedures for (a) documenting and reviewing/revalidating management approvals of programmers’ access and privileges to sensitive datasets, libraries, utilities, and programs including the continued use of the newly created Programmer Access and Privileges form and (b) logging and monitoring the use of sensitive utilities and programs. Additionally, ensure NCC personnel are conducting, at a minimum, monthly reviews of programmers’ access/privileges in accordance with EPA guidance and maintaining on file the reviews and any followup actions taken to investigate any exceptions.

2. Revise the mainframe security position description to include responsibilities for monitoring and routinely reviewing mainframe system software updates to help ensure the primary support contractor appropriately implements the controls. Additionally, ensure the position description requires the EPA personnel to document and retain copies of EPA management reviews of system software.

Agency’s Response and KPMG’s Evaluation

Management officials generally agreed with the recommendations. EPA management has updated and formalized its processes for documentation of approval for system software access.
Additionally, management has updated EPA’s Standards and Procedures for the NCC Enterprise Server to include a matrix on EPA and federal contractor personnel roles and responsibilities as it applies to managing the mainframe system software activities.

Following receipt of the Agency’s response to the draft report, we held a meeting with NCC officials to clarify the findings and recommendations reported in this chapter. During the meeting, the auditors agreed to revise the findings and recommendations discussed in this chapter to more accurately communicate the information provided. NCC officials agreed to provide additional documentation for the audit team’s consideration and review. The revisions to the findings and recommendations and our evaluation of the additional documentation provided by NCC are reflected in this report.

Chapter 4
Change Controls Need Improvements

We noted that EPA has documented policies and procedures regarding system software change controls. This guidance includes practices for normal and emergency system software changes. However, during testing of the selection of change requests, we found that EPA management is not (1) enforcing current policies and procedures and (2) providing the necessary oversight to ensure mainframe system software changes are appropriate. We found software changes are not adequately and consistently authorized, tested, approved, implemented, or reconciled. Specifically, during fieldwork we noted that:

- Thirteen percent (2 of 15) of selected change requests (CRs) were tested prior to implementation into the production environment.
  Additionally, one CR was incorrectly entered as an emergency change and subsequently incorrectly automatically approved.

- Documentation of the review of end-user and programmer testing results for changes is not maintained.

- Documentation of CR approval for 73 percent (11 of 15) of selected CRs was maintained on file. The emergency CR was one of the four without the required documented approval.

- EPA was unable to provide evidence that Agency personnel routinely conduct steps to (1) identify and select the changes that should be implemented based on management’s determination and (2) analyze the impact of planned changes on the security and processing reliability of the mainframe environment.

- A reconciliation of changes made to the mainframe production environment to approved changes does not exist.

- System programmers have access to test and production environments and are often responsible for implementing their own changes in the production mainframe environment.

These weaknesses exist because the NCC does not enforce the existing policy for authorizing, testing, and approving system software changes. Nor does management consistently document its oversight practices to help ensure all system changes are approved and implemented as intended. Based upon our review of procedures and standards and inquiry of NCC officials, we determined that policies and/or procedures requiring the routine analysis of costs and benefits of changes and the consideration of the impact on processing reliability and security prior to implementation had not been formally or informally implemented. Additionally, an audit trail, which would assist management to reconcile approved to implemented system changes, does not exist.
Furthermore, EPA management is not enforcing segregation of duties for systems programmers to prevent an individual from testing changes and, consequently, implementing their own changes into the production environment.

Changes that are not adequately authorized, tested, and approved prior to implementation could result in the implementation of unauthorized and potentially inaccurate program changes. This could possibly lead to corruption of data or system downtime. As a result, the operating environment may be adversely impacted or system failures may occur. Furthermore, when a single programmer is responsible for testing a change and implementing that same change, there is the increased risk of the change control process being inadvertently or willfully subverted. This could result in unauthorized system changes being placed into production without the Agency’s knowledge.

In response to the draft audit report, EPA management took steps to implement corrective actions to address the finding. Management updated the Enterprise Server Standards and Procedures to document a process for reconciling changes through the use of new change activity reports and Remedy system logs of approved changes. The new procedures require management to review system changes at weekly meetings with the primary support contractor and monitor change activity reports. We determined that the new process, once implemented, will be a key component in helping EPA management identify any unapproved changes introduced in the mainframe environment. However, the process will not validate that all approved changes have been properly implemented and documented in accordance with existing change control procedures.
The reconciliation process should include a comparison of a report of the changes approved by management with a system generated change activity report that includes an official record of the changes implemented into production. The reports should include dates of management approval and implementation to provide the ability to validate that approvals and implementation are occurring in a timely manner.

Upon inspection of a sample change activity report provided by NCC management, we noted that activity details, such as the type of action performed on the datasets (i.e., update, alter, etc.), associated with the logged user action are not included in the report. We also noted the updated Enterprise Server Standards and Procedures document does not identify who is responsible for conducting the new reconciliation procedures.

Recommendations

We recommend that the Director for OTOP:

3. Issue a memorandum to the National Computer Center (NCC) reinforcing management’s responsibility for complying with applicable Agency policy for system change management.

4. Direct the NCC to develop and implement a management review process to help ensure personnel are following procedures for testing, approving, and implementing system software changes. Ensure the developed procedures require NCC management to document management’s review of (1) system changes before implementing into production and (2) emergency changes to the mainframe to confirm all required procedures were followed.

5. Update the Enterprise Server Standards and Procedures to include procedures for documenting mainframe change management decisions.
Ensure the procedures include identifying and documenting (1) the steps management uses to identify the changes to implement and (2) management’s assessment of the impact of planned changes on the security and reliability of the mainframe processing environment.

6. Implement the newly developed reconciliation procedures and ensure that an audit trail of changes made to production datasets is maintained and compared to approved/authorized changes. Revise the new procedures to (1) assign related responsibilities to the appropriate individuals; (2) log modifications made to production datasets, to include logging user IDs and actions performed (i.e., alter, update, etc.); and (3) retain evidence of the mandated daily reviews, reconciliations, and followup actions.

7. Conduct and document a review of the business need for systems programmers to test and implement their own changes into the production environment. If EPA management makes the determination that these duties cannot be segregated amongst different individuals, then implement compensating controls to prevent one individual from having complete control of the change process and update the Enterprise Server Standards and Procedures and the Enterprise Server Security Plan, accordingly.

Agency’s Response and KPMG’s Evaluation

Management generally disagreed with these recommendations. Management believes the EPA’s operational approvals are recorded within the Remedy Change Control System. Additionally, all changes are discussed and documented during the weekly Enterprise Server (Mainframe) manager’s meeting with the primary support contractors.
A review of proposed system software changes and post review of changes are performed, reconciled, and maintained on file with the primary support contractor.

Management has implemented mitigating controls to prevent system programmers from testing and implementing their own changes into the production environment. System administrators need concurrence from back-up system administrators prior to product implementation.

Following receipt of the Agency’s response to the draft report, we held a meeting with NCC officials to clarify the findings and recommendations reported in this chapter. During the meeting the auditors agreed to revise the findings and recommendations discussed in this chapter to more accurately communicate the information provided. NCC officials agreed to provide additional documentation for the audit team’s consideration and review. The revisions to the findings and recommendations and our evaluation of the additional documentation provided by NCC are reflected in this report.

Chapter 5
Policies, Procedures, and Manuals Can Be Improved

NCC management needs to improve its structure for defining the NCC’s overall security program. EPA’s Information Security Manual requires organizational heads to establish an information security program that implements Agency-level information security policies and procedures.
Although EPA management has listed datasets in the updated Enterprise Server Standards and Procedures document, EPA has not documented (1) specifications that EPA management uses for determining which system datasets are considered sensitive and (2) procedures for using system utilities to monitor and review the use of sensitive programs on the mainframe. In particular, we noted that:

➢ During audit fieldwork, EPA had not documented sensitive system datasets in existing policies or procedures. Following issuance of the draft audit report, NCC management resolved this finding by updating the Enterprise Server Standards and Procedures document to include the list of sensitive datasets.

➢ The Office of Environmental Information (OEI) Information Security Manual and the EPA Information Security Manual, which include policies and procedures for limiting access to system software, have not been updated for at least 4 years. OEI management is currently updating these guidance documents and the revisions have not been finalized and officially approved.

Promulgated and up-to-date policies, procedures, and standards serve as management’s communication of the organization’s standards that must be met. Without clearly defined requirements, management does not have an effective basis to evaluate performance outcomes against expectations.
As such, there is an increased likelihood of:

➢ unauthorized or inappropriate use of sensitive programs going undetected, or

➢ inadequate monitoring of system resources necessary to assure the integrity of data processed by the mainframe.

Recommendations

We recommend that the Director of OTOP:

8. Update the Enterprise Server Standards and Procedures document to include (1) specifications that EPA management uses for determining which system datasets are considered sensitive and (2) procedures for using system utilities to monitor and review the use of sensitive programs on the mainframe.

9. Complete efforts to update the Office of Environmental Information (OEI) Information Security Manual and the EPA Information Security Manual. Subsequent to finalizing the changes, ensure the manuals are (1) reviewed timely by EPA management for adequacy, accuracy, and completeness; and (2) approved by EPA management in a timely manner.

10. Establish a Plan of Action and Milestone (POA&M) for all weaknesses identified in Chapters 3, 4, 5 and Appendix A.

Agency’s Response and KPMG’s Evaluation

Management concurred with these recommendations.

Following receipt of the Agency’s response to the draft report, we held a meeting with NCC officials to clarify the findings and recommendations reported in this chapter. Although management concurred with our recommendations, the auditors agreed to revise the findings presented in this chapter to more accurately communicate the information provided. NCC officials agreed to provide additional documentation for the audit team’s consideration and review.
The revisions to the findings and our evaluation of the additional documentation provided by NCC are reflected in this report.

Status of Recommendations and Potential Monetary Benefits

| Rec. No. | Page No. | Subject | Status¹ | Action Official | Planned Completion Date | Claimed Amount (in $000s) | Agreed To Amount (in $000s) |
|---|---|---|---|---|---|---|---|
| 1 | 6 | Enforce implementation of updated policies and procedures for (a) documenting and reviewing/revalidating management approvals of programmers’ access and privileges to sensitive datasets, libraries, utilities, and programs including the continued use of the newly created Programmer Access and Privileges form and (b) logging and monitoring the use of sensitive utilities and programs. Additionally, ensure NCC personnel are conducting, at a minimum, monthly reviews of programmer’s access\privileges in accordance with EPA guidance and maintaining on file the reviews and any followup actions taken to investigate any exceptions. | U | Director, Office of Technology Operations and Planning | | 0 | |
| 2 | 6 | Revise the mainframe security position description to include responsibilities for monitoring and routinely reviewing mainframe system software updates to help ensure the primary support contractor appropriately implements the controls. Additionally, ensure the position description requires the EPA personnel to document and retain copies of EPA management reviews of system software. | U | Director, Office of Technology Operations and Planning | | 0 | |
| 3 | 10 | Issue a memorandum to the National Computer Center (NCC) reinforcing management’s responsibility for complying with applicable Agency policy for system change management. | U | Director, Office of Technology Operations and Planning | | 0 | |
| 4 | 10 | Direct the NCC to develop and implement a management review process to help ensure personnel are following procedures for testing, approving, and implementing system software changes. Ensure the developed procedures require NCC management to document management’s review of (1) system changes before implementing into production and (2) emergency changes to the mainframe to confirm all required procedures were followed. | U | Director, Office of Technology Operations and Planning | | 0 | |
| 5 | 10 | Update the Enterprise Server Standards and Procedures to include procedures for documenting mainframe change management decisions. Ensure the procedures include identifying and documenting (1) the steps management uses to identify the changes to implement and (2) management’s assessment of the impact of planned changes on the security and reliability of the mainframe processing environment. | U | Director, Office of Technology Operations and Planning | | 0 | |
| 6 | 10 | Implement the newly developed reconciliation procedures and ensure that an audit trail of changes made to production datasets is maintained and compared to approved/authorized changes. Revise the new procedures to (1) assign related responsibilities to the appropriate individuals; (2) log modifications made to production datasets, to include logging user IDs and actions performed (i.e., alter, update, etc.); and (3) retain evidence of the mandated daily reviews, reconciliations, and followup actions. | U | Director, Office of Technology Operations and Planning | | 0 | |
| 7 | 10 | Conduct and document a review of the business need for systems programmers to test and implement their own changes into the production environment. If EPA management makes the determination that these duties cannot be segregated amongst different individuals, then implement compensating controls to prevent one individual from having complete control of the change process and update the Enterprise Server Standards and Procedures and the Enterprise Server Security Plan, accordingly. | U | Director, Office of Technology Operations and Planning | | 0 | |
| 8 | 12 | Update the Enterprise Server Standards and Procedures document to include (1) specifications that EPA management uses for determining which system datasets are considered sensitive and (2) procedures for using system utilities to monitor and review the use of sensitive programs on the mainframe. | U | Director, Office of Technology Operations and Planning | | 0 | |
| 9 | 13 | Complete efforts to update the Office of Environmental Information (OEI) Information Security Manual and the EPA Information Security Manual. Subsequent to finalizing the changes, ensure the manuals are (1) reviewed timely by EPA management for adequacy, accuracy, and completeness; and (2) approved by EPA management in a timely manner. | U | Director, Office of Technology Operations and Planning | | 0 | |
| 10 | 13 | Establish a Plan of Action and Milestone (POA&M) for all weaknesses identified in Chapters 3, 4, 5 and Appendix A. | U | Director, Office of Technology Operations and Planning | | 0 | |

¹ O = recommendation is open with agreed-to corrective actions pending
  C = recommendation is closed with all agreed-to actions completed
  U = recommendation is undecided with resolution efforts in progress

Appendix A

Details of Findings Related to Technical Controls Over Sensitive Datasets and Programs

This Appendix is for restricted distribution. This Appendix contains material that is confidential business information, proprietary information, or source selection information. Unauthorized disclosure of this Appendix or any of its content may violate the provisions of the Trade Secrets Act, 18 U.S.C. 1905; the Procurement Integrity Act, 41 U.S.C. 423; the Freedom of Information Act, 5 U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the Federal Acquisition Regulation, Section 3.104 (48 CFR 3.104). Due to the sensitive nature of these findings, the Office of Inspector General removed this Appendix from the public version of the report.
For a complete copy of this report, contact the Environmental Protection Agency, Office of Inspector General, Office of Congressional and Public Liaison at (202) 566-2391.

Appendix B

Agency Response to Technical Control Findings Disclosed in Appendix A

This Appendix is for restricted distribution. This Appendix contains material that is confidential business information, proprietary information, or source selection information. Unauthorized disclosure of this Appendix or any of its content may violate the provisions of the Trade Secrets Act, 18 U.S.C. 1905; the Procurement Integrity Act, 41 U.S.C. 423; the Freedom of Information Act, 5 U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the Federal Acquisition Regulation, Section 3.104 (48 CFR 3.104). Due to the sensitive nature of these findings, the Office of Inspector General removed this Appendix from the public version of the report. For a complete copy of this report, contact the Environmental Protection Agency, Office of Inspector General, Office of Congressional and Public Liaison at (202) 566-2391.

Appendix C

Agency Response to Draft Audit Report

September 5, 2006

MEMORANDUM

SUBJECT: Office of Environmental Information Response to Draft Audit Report:
         EPA Could Improve Controls Over Mainframe System Software
         Assignment/Project No: 2006-000215

FROM:    Linda A. Travers
         Acting Assistant Administrator and Chief Information Officer

TO:      Rudolph M. Brevard
         Director, Information Resources Management Assessments
         Office of Inspector General

Thank you for the opportunity to respond to the draft audit report conducted by KPMG, LLC on behalf of the U.S. Environmental Protection Agency, Office of the Inspector General (OIG). The Office of Environmental Information (OEI) has placed great emphasis on building and maintaining a secure mainframe environment as noted by observations made in the report regarding the proactive approach of EPA/OEI to improve mainframe system software controls, while protecting the Agency’s information assets. It is also important to note that while many of the findings highlight improvements in procedural documentation, the report was clear to point out the absence of any security breaches in mainframe system software.

Attached is OEI’s response to the audit recommendations and specific comments on the findings. Please contact Marian Cody, Director, Technology and Information Security Staff and Chief Information Security Officer, at 202-566-0302, if you have any questions regarding our comments. Thank you again for the opportunity to respond.

Attachments

Linda A. Travers
Acting Assistant Administrator and Chief Information Officer
Office of Environmental Information,
Environmental Protection Agency
Room 5000 AR North

Chapter 3: Improvements Needed in the Assignment of Roles and Responsibilities

OIG Recommendations (in bold):

We recommend that the Director of Office of Technology Operations and Planning (OTOP) should:

1. Develop and implement formalized processes in accordance with existing policy for documenting approvals of system software access, conducting periodic reviews/revalidation of access, and maintaining related documentation on file.
Also, clearly and formally assign roles and responsibilities and hold personnel accountable for the performance of the processes.

OEI Response:

OEI accepts this recommendation. OEI has updated and formalized its processes for documentation of approvals for system software access. The processes are documented in the Enterprise Server (Mainframe) Security Plan. In addition, OEI has created a Programmer Access and Privileges Form to document management approvals.

OEI conducts weekly reviews of system software access with the Primary Support Contractor. This process is documented in the Enterprise Server (Mainframe) Security Plan.

Documentation of reviews is maintained in the National Computer Center (NCC) Records Management Center.

Roles and responsibilities are formally assigned. However, to clarify the assignment, a Roles and Responsibilities Matrix has been incorporated into the EPA Standards and Procedures for the Enterprise Server (Mainframe) (Section 13.7 and Appendix G).

2. Conduct periodic management reviews to ensure that the processes are appropriately performed and effective.

OEI Response:

OEI disagrees with this recommendation. On a weekly basis, management reviews approvals for system software access. Further, OEI has updated the Enterprise Server Security Plan to incorporate this process.

3. Identify NCC management responsible for security of the mainframe system software and implement periodic EPA management reviews of system software to ensure that primary support contractors have implemented controls in compliance with existing regulations, policies, procedures, and guidelines.

OEI Response:

OEI disagrees with this recommendation. In accordance with the NCC Enterprise Server (Mainframe) Security Plan, responsibility for maintaining the integrity of the mainframe system belongs to the EPA Enterprise Server (Mainframe) Manager.
On a weekly basis, management reviews approvals for system software security controls. In addition, OEI uses a commercial auditing tool to measure compliance with existing mainframe policies, procedures, and guidelines. These practices are all documented in the Enterprise Server Security Plan.

4. Perform, document, and maintain file reviews of controls for monitoring the use of sensitive system utilities.

OEI Response:

OEI disagrees with this recommendation. Auditing Procedures for the Enterprise Server (Mainframe) are documented in the Enterprise Server Security Plan. The EPA Primary Support Contractor reviews security audit logs and maintains the results of these reviews for at least three years. In addition, oversight is periodically performed by the EPA Enterprise Server (Mainframe) manager and results of these EPA reviews are maintained in the NCC Records Management Center. Listed below are the logs reviewed and their frequency:

• Quarterly
  - (Data Set profile reports (UACC accesses))
  - Bypass Label Processing (BLP)
  - Authorized Program Facility (APF) for sensitive data sets
• Monthly
  - Trivial Password reports
  - Supervisory Command (SVC) reports (systems special mainframe system security administrators and backup processes)
• Weekly
  - DSMON reports (operating system integrity procedure)

5. Implement processes to correct technical mainframe weaknesses identified in Appendix A.

Please see OEI’s specific response listed below.

Chapter 4: Change Controls Need Improvements

OIG Recommendations (in bold)

We recommend that the Director of Office of Technology Operations and Planning (OTOP) should:

6. Ensure that formal procedures supporting existing Agency policies and standards related to system software changes are developed, implemented, and enforced with appropriate EPA management oversight.

OEI Response:

OEI disagrees with this recommendation. EPA Standards & Procedures for the Enterprise Server (Mainframe) documents procedures for system software changes.

The Remedy Change Control System is the official process for system software changes and approvals. EPA NCC’s operational approval is recorded within the Remedy Change Control System.

Additionally, all changes are discussed and documented during the weekly Enterprise Server (Mainframe) manager meetings with the Primary Support Contractor. During this meeting, a review of proposed system software changes, as well as a post review of changes is performed, reconciled and documented. Documentation is on file with the Primary Support Contractor.

7. Maintain an audit trail of changes implemented into production. The audit trail should be used by management to review and reconcile implemented changes to approve system software changes and to ensure that changes are appropriately authorized.

OEI Response:

OEI disagrees with this recommendation. The Remedy Change Control System is the official process for system software changes and approvals. This system also provides for OEI’s official audit trail of software changes.

EPA NCC’s operational approval is recorded within the Remedy Change Control System. Additionally, a system of checks and balances is in place for change requests requiring independent approval from the NCC’s operational security and hosting operations groups. The approvals are recorded in the Remedy Change Control System.
These groups consist of both federal and contracting staff.

All changes are discussed and documented during the weekly Enterprise Server (Mainframe) manager’s meetings with the Primary Support Contractor. During this meeting, a review of proposed systems software changes, as well as post review of changes are performed and documented. Documentation is on file with the Primary Support Contractor.

8. Review the business need for systems programmers to test and implement their own changes into the production environment. If EPA management makes the determination that these duties cannot be segregated amongst different individuals, compensating controls should be put in place to prevent complete control of the change process by one individual.

OEI Response:

OEI accepts this recommendation. The Primary Support Contractor’s IBM Systems group convenes weekly to discuss all changes, including test results before changes are implemented in the production environment. Additionally, as described above, EPA performs oversight of this process through the weekly Enterprise Server (Mainframe) manager’s meeting.

Formal documentation of testing results by the system administrator responsible for installation of a specified product is required and must include concurrence from the back-up system administrator prior to production implementation. EPA Standards and Procedures for the Enterprise Server (Section 4.2).

Where total separation of duties is not practical due to limited staffing, mitigating controls have been put into place. In accordance with formal processes, system administrators are responsible for testing of the specific product prior to implementation and concurrence from the back up system administrator is required prior to production implementation.
EPA performs oversight of the process through the weekly meeting.

Chapter 5: Policies, Procedures, and Manuals Can Be Improved

OIG Recommendations (in bold):

We recommend that the Director of Office of Technology Operations and Planning (OTOP) should:

9. Develop and implement formal procedures and guidelines for ensuring that appropriate access control software configuration settings for the EPA’s mainframe environment are implemented. As noted in chapter 3, accountability of associated roles and responsibilities should be clearly defined and assigned.

OEI Response:

OEI disagrees with this recommendation. OEI has formal procedures requiring reviews of resource access violations and system logs for other potential security violations. To strengthen this practice, OEI will update its procedures to reflect an additional compensating control by which the Primary Support Contractor audits the IBM Systems group’s use of sensitive programs. Anomalies and suspected computer security incidents are reported to the Agency’s CSIRC.

10. Identify and document sensitive datasets in existing policies and standards.

OEI Response:

OEI disagrees with this recommendation. The list of datasets is maintained in the EPA Standards and Procedures for the Enterprise Server. Industry standards for the mainframe industry do not recommend specifically identifying datasets as “sensitive” in system documentation for security reasons.

11. Develop and implement clearly defined formal procedures for monitoring and reviewing the use of sensitive programs on the mainframe. Ensure that accountability of roles and responsibilities are clearly defined and assigned.

OEI Response:

OEI accepts this recommendation.

12. Complete the ongoing efforts to update outdated security manuals.
The manuals should be reviewed by EPA management for adequacy, accuracy, completeness and approved by EPA management in a timely manner.

OEI Response:

OEI accepts this recommendation. OEI acknowledges the need to update the EPA & OEI Information Security Manuals.

13. Establish a Plan of Action and Milestone (POA&M) for all weaknesses identified in this report.

OEI Response:

OEI accepts this recommendation.

Appendix D

Audit Criteria

The following details the laws, requirements, and/or guidelines used as criteria in guiding our audit of information system controls over access to and modification of mainframe system software at the National Computer Center in Research Triangle Park.

Improvements Needed in the Assignment of Roles and Responsibilities

➢ The OEI Information Security Manual, Section 7.3, states:

   “Information Managers must receive a signed written request from a designated manager prior to creating an account or assigning privileges.

   ▪ The written request must provide the user’s name and explicitly detail the access privileges requested.
Creation of User accounts or assignment of access privileges without the approved written request is forbidden.

   ▪ If a request is received via e-mail, the request will be verbally confirmed with the requester prior to granting access privileges, and the e-mail annotated with the date and time of the verbal verification.”

   Additionally, Section 7.5 of the manual states:

   “Information Managers will conduct a monthly review of logs, support requests, inventories, authorized user lists, previous review findings, and/or technical problems and corrections for their information system(s) to help identify any current, recurring, or potential problems. Information Managers will attempt to resolve any discrepancies and, where necessary, present review findings to the appropriate management.”

➢ National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security – The NIST Handbook, states:

   “From time to time, it is necessary to review user account management on a system. Within the area of user access issues, such reviews may examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth.”

   “The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of computer systems should be explicit.”

   “In effect, checks and balances need to be designed into both the process as well as the specific, individual positions of personnel who will implement the process.
   Ensuring that such duties are well defined is the responsibility of management.”

   “Software is the heart of an organization's computer operations, whatever the size, and
   complexity of the system. Therefore, it is essential that software function correctly and be
   protected from corruption. Organizations should give care to the configuration and use of
   powerful system utilities. System utilities can compromise the integrity of operating systems
   and logical access controls.”

Change Controls Need Improvement

➢ OTOP Directive 210.08, National Computer Center (NCC) Compatible Enterprise Server
   Mainframe Security, Section 6.4 – Installation and Maintenance guides that all operating
   system software installs, modifications, and maintenance will be conducted in a controlled,
   accountable, and auditable manner.

➢ The EPA Enterprise Server Security Plan states that:

   The NCC computer systems are subject to formal change management and problem
   management methodologies as follows:

   • All operating system and application development software is placed in a test
      environment before installation in the production environment.

   • All applications running in the central database environment are placed in a test
      environment before installation in the production environment.

   • The test environments are isolated from the production environment in a manner that
      prevents failures in the test environment from causing failures in the production
      environment.

   • All software and hardware upgrades must be approved by the NTSD technical manager
      on the Change Management System before being applied to the production environment.”

➢ EPA’s Standards and Procedures for the NCC Enterprise Server establishes numerous
   standards and
   responsibilities related to system software changes, including the following:

   • Whenever any product is changed, the product and anything else that might be affected
      by that change must be tested, to include security.

   • Review is conducted to delete any remaining test data sets after a production installation.

   • NCC Systems Manager responsibilities include identifying the need for a product or
      component upgrade and informing EPA of the need to install an upgrade.

   • Systems programmer responsibilities included monitoring software installations and
      upgrades to determine impact of the change on the system and customer community and
      reviewing vendor information sources for any known problems or customer impact.

➢ Appendix III to Office of Management and Budget (OMB) Circular A-130, Security of
   Federal Automated Information Resources, states that separation of duties is the
   practice of dividing the steps in a critical function among different individuals. For example,
   one system programmer can create a critical piece of operating system code, while another
   authorizes its implementation. Such a control keeps a single individual from subverting a
   critical process.

Policies, Procedures, and Manuals Can Be Improved

➢ The EPA Information Security Manual, Section 12, states:

   “This Information Security Manual is issued through the central program and presents
   information security policy and procedure derived from the EPA IRM Policy Manual,
   Chapter 8, Information Security.
   Each organization must establish an organizational
   information security program that implements these Agency-level information security
   policy and procedures.”

   “The procedural and technical methods used to achieve these goals will differ from
   organization to organization because security controls must be based on the types of
   information and information system platforms, threats, vulnerabilities, and level of risk for a
   given organization. To be effective, all security controls must support the Program’s policies
   and goals.”

➢ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, states:

   “Software is the heart of an organization's computer operations, whatever the size, and
   complexity of the system. Therefore, it is essential that software function correctly and be
   protected from corruption. Organizations should give care to the configuration and use of
   powerful system utilities.
   System utilities can compromise the integrity of operating systems
   and logical access controls.”

➢ OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources,
   states:

   “A review of the security controls in each system and application should be performed when
   significant modifications are made to the system, but at least every three years.”

Technical Controls Over Sensitive Datasets and Programs

➢ OTOP Directive 210.08, National Computer Center (NCC) Compatible Enterprise Server
   Mainframe Security, Section 6.3 – Data Security and Integrity, states:

   • “Job Control Language (JCL), programs, and CLISTs for production control applications,
      and job schedulers for their execution, will be protected through mainframe system
      security at a level sufficient to prevent their unauthorized access or destruction, as well as
      prevent unauthorized changes to their mainframe system security profiles.

   • Personnel responsible for maintaining automated job schedulers will develop procedures
      to prevent exploitation of identified and inherent security exposures.”

   Additionally, Section 6.4 of the Directive states:

   • “All operating system software will be protected from unauthorized access through
      mainframe system security data set profiles.
      All access attempts will be audited through
      mainframe system security.

   • Operating system privileges will be restricted to the minimum required by designated
      individuals or processes for the purpose of the specific system operation to be performed
      and will be approved by the OTOP ADP Security Officer.

   • NCC Primary Support Contract Enterprise Server Support will develop and maintain
      procedures for requesting, granting, and rescinding privileges granted through operating
      system software. The procedures will provide for the maintenance of a list of privileges
      and personnel granted those privileges.”

➢ The EPA Information Security Manual, Sections 3.2, 10.3, 11.2.7, and 12, state that:

   Everyone who uses or manages EPA’s information must be held accountable for his/her
   actions while using the Agency’s information systems. EPA holds information system users
   accountable for unauthorized activities. Unauthorized activities may result in intentional or
   unintentional damage, inappropriate disclosure, or denial of access to information resources,
   often referred to as denial of service. Information system owners and managers must ensure
   that there is a positive means of identifying each user. General support systems and major
   applications must have audit trails that maintain a record of each user’s activities while
   accessing the system or application.
   Audit trails must be reviewed regularly to ensure that
   users are held accountable for their actions.

   To the extent possible, the following functions within the Agency should be
   assigned to different individuals:

   • Data Creation and Control Functions
      - Data collection and preparation
      - Data entry
      - Data base administration

   • Software Development and Maintenance Functions
      - Applications programming
      - Design review
      - Application testing and evaluation
      - Application maintenance”

   Major applications containing moderately and highly sensitive information and all general
   support systems must generate audit trails of accesses and changes to the system and to
   information and applications at the individual user level.

➢ The Enterprise Server Security Plan, Section 3.6, states:

   “Data and software integrity are maintained through the following procedures:

   • Limits on user privileges ensure that only data belonging to the user is accessed or
      modified.
   • Use and review of system audit trails.
   • Restricting access to workstations used by Systems Programming personnel.”

➢ Office of Management and Budget Circular A-130, Appendix III, Security of Federal
   Automated Information Resources, states:

   “Agencies must “obtain written management authorization, based upon the
   acceptance of risk to the system, prior to connecting with other systems.
   Where connection is authorized, controls shall be established which are consistent with the
   rules of the system and in accordance with guidance from NIST.”

➢ NIST SP 800-47, Security Guide for Interconnecting Information Technology
   Systems, states:

   “The MOU/A [Memorandum of Understanding/Agreement] documents the terms and
   conditions for sharing data and information resources in a secure manner.
   Specifically, the MOU/A defines the purpose of the interconnection; identifies
   relevant authorities; specifies the responsibilities of both organizations; and defines
   the terms of agreement, including apportionment of costs and the timeline for
   terminating or reauthorizing the interconnection.”

➢ NIST SP 800-53, Recommended Security Controls for Federal Information Systems, states:
   “The organization authorizes all connections from the information system to other
   information systems outside of the accreditation boundary and monitors/controls the system
   interconnections on an ongoing basis.
   Appropriate organizational officials approve
   information system interconnection agreements.”

Appendix E

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Director, Office of Technology Operations and Planning
Director, Technology and Information Security Staff
Director, National Computer Center
Chief, Security and Business Management Branch
National Computer Center Security Officer
Audit Followup Coordinator, Office of Environmental Information
Audit Followup Coordinator, Technology and Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Acting Inspector General